Vulnerability on @storybook/addon-docs related with trim #14603
Comments
I can add a little data from my experience: specifying
Exactly, @nickiaconis. I'm facing the same issue. Do you know if there is a plan to fix this in the next release?
Following this. I am experiencing the same warnings on my side.
We are on the most recent version of @mdx-js/loader. Any ideas short of forking it?
@shilman I created an issue on
There were follow-up comments to the issue @BiancaArtola created: mdx-js/mdx#1531 (comment)
Nice @sfc-gh-acourtney. I can't wait for MDX2 -- the original release target was last July so ... 😰
The fix for me was to add to my package.json:
@RyanMacBern What version of
@AElmoznino I believe "resolutions" is a Yarn feature. Happy to be corrected, but I think the "has workaround" is only for Yarn users?
I got the above working with https://www.npmjs.com/package/npm-force-resolutions
We used
Fix comes from here: storybookjs/storybook#14603 (comment). It can be removed once Storybook updates mdx and mdx updates remark-parse.
That does not work if you specify it in package.json either. The old version is still installed.
Plus, adding another dependency just to solve a vulnerability introduced by one does not make a whole lot of sense. It's probably OK if you already use it in your project (slash those troubles building the code, of course).
@sfc-gh-acourtney fwiw, I raised this issue (inadvertently duplicately) at mdx-js/mdx#1597. No idea when 2.0 of mdx-js/mdx@2 will come out... seems there's some dispute (2.x has been in the works for > 1 year). He does point out that there's another package one could look into using instead: https://github.com/wooorm/xdm. I haven't looked at how API-compatible it is, though.
Using npm force resolutions later will give me this error when I run
Is this safe to ignore?
The API for trim hasn't changed: https://github.com/Trott/trim/blob/main/CHANGELOG.md The issue stems from the version of remark used in Storybook. Issue open here: storybookjs/storybook#14603 And the change to remark to make this happen: remarkjs/remark#782 TL;DR: Force it and move on with our lives
Will this be fixed, or do we need to use the resolutions hack temporarily?
Any news on fixing this vulnerability?
- Regular expression denial of service - Regular Expression Denial of Service in trim Those problems are somehow related to storybook and will probably be fixed in future release. See storybookjs/storybook#14603
- Storybook related - Prettier - Typedoc The remaining vulnerable packages `trim` and `glob-parent` are related to Storybook. There might come a fix for these once version 6.5 is released: storybookjs/storybook#14603 (comment)
Same problem as well with glob-parent. Is there a hacky way to get around them?
Some news about this topic?
@aaschlote We can't upgrade the dependency until 7.0. If you are using Storybook Docs with MDX and you want to avoid this dependency, you can opt-in to MDX2 per https://github.com/storybookjs/storybook/blob/next/MIGRATION.md#opt-in-mdx2-support If you do that, you will still have the vulnerable dependency in your Hopefully 7.0 will be in alpha in a few weeks, at which point you'll be able to get a vulnerability-free dependency tree.
storybook 6.4.22 introduces 19 high severity vulnerabilities with
Is there any change planned at all?
@IuliiaBondarieva please see my comment above. The opt-in MDXv2 upgrade is available in 6.5. The full upgrade is a breaking change and will come in 7.0 (next release).
@shilman storybook 6.5 has introduced more vulnerabilities via the added Related, but the module seems unmaintained: jakub-g/x-default-browser#8
Dependabot found dependency vulnerabilities were not fixed as they exist within dependencies for packages within package-lock. The ones found are related to Storybook and will be fixed in an upcoming version. See storybookjs/storybook#14603
Following: #18860
@GuillaumeCisco yes we can, it's on our list!
@shilman could you please update @mdx-js/mdx to 2.0.x according to the comment above? Looks like in the 7 alpha.35 branch it's not updated; I tested it today.
- Updated issues emerging from yarn audit, specifically for Storybook. Following storybookjs/storybook#14603 using yarn resolutions https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/
Yay!! I just released https://github.com/storybookjs/storybook/releases/tag/v7.0.0-alpha.40 containing PR #19495 that references this issue. Upgrade today to the
Closing this issue. Please re-open if you think there's still more to do.
This is working for me:

```json
"resolutions": {
  "**/trim": "^0.0.3"
},
```
I know that it is not a bug, but I need to report a vulnerability that @storybook/addon-docs has. The following is the related dependency tree:

```
@storybook/addon-docs
  -> @mdx-js/loader
    -> @mdx-js/mdx
      -> remark-mdx
        -> remark-parse
          -> trim 0.0.1
```

trim 0.0.1 has a ReDoS vulnerability. Please let me know if you need more information about this.
Can you fix this vuln?
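Several commenters above note that a `resolutions` override was added but "the old version is still installed". The following is an added example, not code from this issue or from Storybook: it scans a parsed `package-lock.json` (lockfile v1 nested `dependencies` or v2/v3 flat `packages`) for every copy of a package below a minimum version, so the override can be verified before trusting it. The `SAMPLE_LOCK` object is constructed for illustration and mirrors the nested `remark-parse -> trim 0.0.1` tree from the report.

```javascript
// Compare dotted numeric versions (sufficient for trim 0.0.x; not full semver).
function versionLt(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Returns [{ path, version }] for every installed copy of `name` whose
// version is below `minVersion`. Nested copies (the ones a resolution
// override is meant to eliminate) are reported with their full path.
function findOutdated(lock, name, minVersion) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b".
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/' + name) && meta.version &&
          versionLt(meta.version, minVersion)) {
        hits.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [n, meta] of Object.entries(deps)) {
        const p = prefix + 'node_modules/' + n;
        if (n === name && meta.version && versionLt(meta.version, minVersion)) {
          hits.push({ path: p, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, p + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample: the top-level trim was overridden, but a nested copy
// under remark-parse is still the vulnerable 0.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/trim': { version: '0.0.3' },
    'node_modules/remark-parse/node_modules/trim': { version: '0.0.1' },
  },
};

// Usage with a real lock file: load it with fs and pass the parsed object.
function scanLockFile(path) {
  return findOutdated(JSON.parse(require('fs').readFileSync(path, 'utf8')), 'trim', '0.0.3');
}
```

An empty result from `findOutdated` (or `npm ls trim` / `yarn why trim` showing only the expected version) is the check that the override actually took effect.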